AWS VPC Flow Logs do not use PCAP (Packet Capture) format. Instead, VPC Flow Logs capture metadata about the traffic flowing to and from network interfaces in a Virtual Private Cloud (VPC). This metadata is stored in a structured log format, typically in Amazon CloudWatch Logs or Amazon S3.

Data Captured by VPC Flow Logs

VPC Flow Logs capture information such as:

• Version: The version of the flow log format.
• Account ID: The ID of the AWS account that owns the network interface.
• Interface ID: The ID of the network interface for which traffic is recorded.
• Source Address: The source IP address of the traffic.
• Destination Address: The destination IP address of the traffic.
• Source Port: The source port of the traffic.
• Destination Port: The destination port of the traffic.
• Protocol: The IANA protocol number of the traffic (e.g., TCP is 6, UDP is 17).
• Packets: The number of packets transferred during the flow.
• Bytes: The number of bytes transferred during the flow.
• Start Time: The time at which the flow started.
• End Time: The time at which the flow ended.
• Action: Whether the traffic was accepted or rejected.
• Log Status: The status of the flow log.

Example of a VPC Flow Log Entry

Here is an example of a single VPC Flow Log entry:

Breakdown of the Example Entry

• 2: The version of the flow log format.
• 123456789012: The AWS account ID.
• eni-abc123de: The ID of the network interface.
• 192.168.1.1: The source IP address.
• 10.0.0.1: The destination IP address.
• 443: The destination port (HTTPS).
• 12345: The source port.
• 6: The protocol (TCP).
• 10: The number of packets transferred.
• 840: The number of bytes transferred.
• 1623101047: The start time of the flow (in Unix epoch time).
• 1623101107: The end time of the flow (in Unix epoch time).
• ACCEPT: The action taken (whether the traffic was accepted or rejected).
• OK: The log status (indicating the logging status).

Differences from PCAP

• Granularity: PCAP files capture the entire packet, including headers and payloads. VPC Flow Logs capture metadata about the flow, not the packet contents.
• Format: PCAP is a binary format, while VPC Flow Logs are plain text entries.
• Use Case: PCAP is used for detailed packet-level analysis, often in network troubleshooting and forensics. VPC Flow Logs are used for monitoring and analyzing network traffic patterns and security within AWS environments.

Usage of VPC Flow Logs

1. Security Monitoring: Analyze traffic patterns to detect suspicious activities or security breaches.
2. Compliance: Maintain logs for auditing and compliance requirements.
3. Performance Monitoring: Identify and troubleshoot network performance issues by examining traffic flow data.
4. Cost Management: Understand data transfer costs by analyzing traffic volume.

In summary, AWS VPC Flow Logs do not use PCAP format. Instead, they provide a high-level overview of network traffic, capturing essential metadata to help with security monitoring, compliance, performance analysis, and cost management.

The post Packet Capture and AWS VPC Flow Logs appeared first on AWS Security Architect.

PCAP (Packet Capture) files are used to record network traffic data for analysis. They capture and store data packets transmitted over a network, allowing network administrators, security analysts, and developers to examine the details of network communications. Here’s an overview of key aspects of PCAP files:

Key Concepts

1. Packet Capture: PCAP files contain captured network packets. These packets include the raw data sent across the network, along with headers containing metadata such as source and destination IP addresses, protocols, and timestamps.
2. File Format: The PCAP file format is standardized, which means it can be used across different network analysis tools. Common extensions for these files are .pcap or .cap.
3. Tools for Capturing and Analyzing PCAP Files:
   • Wireshark: A popular open-source network protocol analyzer that can capture and interactively browse the contents of PCAP files.
   • tcpdump: A command-line packet analyzer that allows users to capture and display packets being transmitted or received over a network.
   • libpcap: A portable C/C++ library for network traffic capture. It’s used by tools like tcpdump.
4. Use Cases:
   • Network Troubleshooting: Analyzing PCAP files helps identify network issues such as latency, packet loss, or misconfigurations.
   • Security Analysis: Security professionals use PCAP files to detect and investigate potential security threats, including intrusions and malware activities.
   • Protocol Analysis: Developers use PCAP files to understand and debug network protocol implementations.
5. File Structure:
   • Global Header: Contains metadata about the file, such as the version of the pcap format and the timestamp resolution.
   • Packet Headers: Each captured packet starts with a header that includes a timestamp, the length of the packet, and other metadata.
   • Packet Data: The actual bytes of the captured packet, which include both the header and the payload of the original network packet.

Basic Workflow

1. Capture: Network traffic is captured using a tool like tcpdump or Wireshark, creating a PCAP file.
2. Analyze: The captured PCAP file is opened in a tool like Wireshark for detailed analysis. Analysts can filter, search, and inspect the packet data.
3. Interpret: The data is interpreted to understand network performance, identify issues, or investigate security incidents.

Example of Capturing Traffic with tcpdump

Example of Opening a PCAP File in Wireshark

1. Open Wireshark.
2. Go to File > Open.
3. Select the PCAP file you want to analyze.
4. Use Wireshark’s filtering and analysis tools to examine the captured data.

PCAP files are essential for deep network analysis and provide invaluable insights into network traffic, making them a critical component in network administration and cybersecurity.

The post PCAP  Overview appeared first on AWS Security Architect.

The post Testing your VPN Tunnel in AWS appeared first on AWS Security Architect.

A managed Distributed Denial of Service (DDoS) protection service. It detects and automatically mitigates attacks that could potentially result in downtime for your application.

  A DDoS attack results in increased traffic for your EC2 instances, Elastic Load Balancer, Route 53, or CloudFront. As a result, these services would need to scale up resources to cope with the increased traffic. A DDoS attack usually happens when multiple systems are compromised or infected with a Trojan flooding a target system with an intention to deny a service to intended users by generating traffic and shutting down a resource so it cannot serve more requests.

AWS Shield has two tiers: Standard and Advanced. All protection under the AWS Shield Standard option is available to all AWS customers by default, without any additional charge. The AWS Shield Advanced option is available to customers with business and enterprise support at an additional charge. The advanced option provides protection against more sophisticated attacks on your AWS resources, such as an EC2 instance, ELB, and so on. The following figure shows AWS Shield tiers:

Shield – Advanced versus Standard

• Cost efficient: AWS provides free protection against network layer attacks for all its customers through AWS Shield Standard. With AWS Shield Advanced, you get protection against DDoS Cost Escalation, which prevents your cost going up in case of DDoS attacks. However, if you are billed for any of your AWS resource usage due to a DDoS attack, you can request credits from AWS through the AWS support channel.

Summary

This was meant to be a quick recap of AWS DDOS Protection options. For a private consultation, please Contact AWS Security Architect

The post AWS DDOS Protection appeared first on AWS Security Architect.

Also read – Palo Alto East West and Ingress Egress Filtering – on GCP and AWS

Routes in AWS Overview – Destinations versus Targets

Routes are composed of destinations and targets (should sound familiar if you have worked with AWS Security Groups).  Destinations can be on premises networks (CIDR Blocks), local networks (VPC CIDR Block) or the internet (0.0.0.0/0). Targets are the gateway that the route will route traffic to.

Some examples of destinations :

Alternatively, you can replace the target for the local route with the network interface of the appliance. You can do this to ensure that all traffic is automatically routed to the appliance, including traffic destined for subnets that you add to the VPC in the future.

• Local VPC Traffic destination – within the VPC (10.0.0.0/16) is covered by the Local route, and is routed within the VPC.
• On Premises Network Destination – There is a route for 172.31.0.0/16 IPv4 traffic that CAN point to either a peering connection OR a VgW (VPN Gateway).
• Internet Destination – There is a route for all IPv4 traffic (0.0.0.0/0) that points to an internet gateway.
• IPv6 Traffic to the internet – Route for all IPv6 traffic (::/0) that points to an egress-only internet gateway (Egress Only Gateways)

What if I want to route all VPC traffic through an appliance (e.g. Palo Alto Firewall)?

Alternatively, you can replace the target for the local route with the network interface of the appliance. You can do this to ensure that all traffic is automatically routed to the appliance, including traffic destined for subnets that you add to the VPC in the future.

The post Routes in AWS – Destinations and Targets appeared first on AWS Security Architect.